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Oblivious Transfer over Wireless Channels 

Jithin Ravi*, Bikash Kumar Dey*, Emanuele Viterbo^^ 


Abstract —We consider the problem of oblivious transfer (OT) 
over OFDM and MIMO wireless communication systems where 
only the receiver knows the channel state information. The sender 
and receiver also have unlimited access to a noise-free real 
channel. Using a physical layer approach, based on the properties 
of the noisy fading channel, we propose a scheme that enables 
the transmitter to send obliviously one-of-two files, l.e., without 
knowing which one has been actually requested by the receiver, 
while also ensuring that the receiver does not get any information 
about the other file. 

I. Introduction 

Consider a movie server, or a server of medical database. 
A subscriber wants a specific item (a movie, or information 
about a specific disease) without the server being able to know 
which item is desired by the subscriber. The subscriber is also 
not allowed to gain any significant information about any other 
item. This is an example of oblivious transfer. 

In one-out-of-two string oblivious transfer (OT), one party, 
Alice, has two files and the other party. Bob, wants one of 
these files. Bob needs to obtain the required file without Alice 
finding out the identity of the file chosen by him. Bob should 
also not be able to recover any significant information about 
the other file. Alice and Bob are assumed to be “honest but 
curious” participants - they follow the agreed protocol but are 
also curious to gain additional knowledge of the other’s data 
from their own observations during the protocol im, 0. 

OT has been studied in various forms for some time in 
cryptography 0, 0. It is a special case of secure function 
computation problems, where multiple parties want to compute 
a function without revealing additional information about their 
data to other parties. It was shown by Kilian 0 that an OT 
protocol can be used as a subroutine to devise a protocol for 
two-party secure function computation for any function that is 
representable by a boolean circuit. 

It is well known that OT can not be performed only by 
interactive communication over a noise-free channel. The OT 
is thus studied with a noisy channel as a critical resource in 
addition to unlimited access to a noise-free channel. The OT 
capacity is the largest length of file that can be transferred, per 
use of the noisy channel, between Alice and Bob. In 0, 0, 
one-out-of-two string OT has been studied when the noisy 
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channel between Alice and Bob is a Discrete Memoryless 
Channel (DMC). An upper bound for the OT capacity of a 
DMC was given in 0 and it was shown that the given upper 
bound is achievable by a simple scheme for binary erasure 
channels (BEC). Multi-user variants of OT have been studied 
over broadcast erasure channels in 0, 0. 

One-out-of-two string OT has been considered in the context 
of AWGN channels in 0, where a protocol was proposed. The 
case of fast fading wireless channels has also been discussed 
in 0, where the fading state varies in each transmission and 
is not known to the transmitter or the receiver. Under such 
assumption, the channel can be modeled by the conditional 
probability distribution py\x with the channel state marginal¬ 
ized. The fading state does not directly provide any additional 
advantage in OT here, other than through its influence on 
Py\x- The OT capacity is not known for many important 
channels including AWGN and binary symmetric channels. 

In this paper, we consider OT over two classes of wireless 
slow-fading channels; orthogonal frequency division multi¬ 
plexing (OFDM) channel and multiple input multiple output 
(MIMO) channel, where the fading state information is avail¬ 
able only at the receiver (CSIR), 0. Channels with CSIR 
(Fig. 0 have not been considered for OT before to the best 
of our knowledge. CSIR is a common assumption in wireless 
communication which can be made when the coherence block 
length n is sufficiently large. We allow an interactive protocol 
to run over n uses of the channel during which the channel 
state remains fixed, and in that period the noise-free channel 
can be used any finite number of times. In other words, we 
assume that one run of the OT protocol is completed in one 
coherence block. However, following common principle of 
rate-adaptation used in many wireless communication models, 
the OT rate may vary from block to block depending on the 
channel state. As we will see in our schemes, the knowledge 
of the state only at the receiver is the key to some interesting 
techniques for OT. Our techniques have the flavor of the 
protocol for BECs 0. 


Noise-free channel 
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Fig. 1. Communication setup for oblivious transfer over channels with state 

Communication under secrecy constraints has been studied 
by many authors (see ifTOlH . In particular, private communica¬ 
tion over a wiretap channel in the presence of eavesdropper 
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has been studied extensively ifTTl . 112], ifTJI . lfT4ll . ifTSll . ifT^ . 
In this work, we make use of coding techniques for Gaussian 
wiretap channels as a building block for our achievability 
schemes. 

In both OFDM and MIMO, we rely on the modeling of the 
channel as parallel fading channels. For the MIMO setup, this 
is done using the SVD precoder matrix that is communicated 
by Bob to Alice. The parallel channels are grouped in pairs. 
OT is performed independently at different rates over different 
pairs. 

We show (Theorem [TJ that the best pairing of the parallel 
channels is that of the strongest channel with the weakest, and 
so on with the rest of the channels. The idea of pairing good 
and bad subchannels in OFDM and SVD-precoded MIMO was 
also used in El, US) with the aim of designing signal sets that 
minimize error probability or maximize mutual information. 
Here, we exploit subchannel pairing to guarantee that Alice 
is oblivious to which file is requested and that Bob only 
receives one of the two files. We also derive the optimal power 
allocation among the pairs of channels. 

The paper is organized as follows. Section |I^ presents the 
problem definition and the system model for both OFDM 
and MIMO channels. In Section III we present protocols for 
OT over 2-channels OFDM, 2x2 MIMO and 2x1 MIMO 
channels. We present the general protocol for 2A^-channels 
OFDM and 2N x MIMO models in Section lTV] following a 
common principle. Optimization of our protocol is discussed in 
Section]^ High SNR asymptotics of OT rate for our protocol 
is analyzed in Section |VI| We provide simulation results of 
our OT scheme for simple OFDM and MIMO channels in 


Section VII Finally, we conclude the paper in Section VIII 


The proof of our optimal pairing (Theorem [T]) is presented in 
Appendix 


H. System Model 

Alice (A) and Bob (B) are two parties in the system as 
shown in Fig. Alice has two binary strings Ko,Ki of 
equal length, and Bob wants one of these strings Kc where 
C G {0,1} is Bob’s choice bit. We assume that all the bits in 
(Ko,Ki,C) are i.i.d. ^ Ber{\/2). Alice can communicate 
with Bob over a channel Py\x.s with state S, where the 
state remains fixed over a large block length n, and varies 
from block to block in an i.i.d. manner. The state is known 
to Bob at the beginning of a block. This models wireless 
communication setups, where in a large coherence block of 
length n, the fading state remains fixed, and the fading state 
is known (estimated) by the receiver. This is commonly known 
as the quasi-static channel model l^. lfTOl . In addition to this 
channel, there is also a noise-free channel over which Alice 
and Bob can communicate real numbers between each other 
without any error/distortion. During each block, the noise-free 
channel can be used any finite number of times. The length 
L{S) of Ko,Ki depends on S. Since Bob knows the state 
S at the beginning of a block, he is assumed to compute and 
communicate L{S) to Alice over the noise-free channel. The 
goal of a protocol is to transfer Kc to Bob obliviously, within 
the current block, such that Bob has negligible knowledge 


about K^, and Alice has no knowledge about C {perfect 
secrecy against Alice). 

Our setup can also be used to transfer large files. We then 
need multiple coherence blocks to complete the OT session 
for one pair of files. The two files can be broken into multiple 
chunks to form one pair (Koi,Kii) for each block i. Then 
one run of the protocol is performed in each block, where the 
choice bit C of Bob remains the same over the whole session 
involving many runs of the protocol. 

An (n, L( )) OT protocol is parameterized by the number 
n of channel uses and by a function L( ) of the state S. There 
are a total of k rounds of communication between Alice and 
Bob, including communication over both the noisy and noise- 
free channels. These are indexed by 1, 2, • • • , fc, where k can 
be random and can be dependent on S. But for every S, it 
is required to be finite with probability 1. The noisy channel 
is used at rounds -'' )*«€{!,•■■ ? k}. At every round 

before round ii, between consecutive ij and ij+i, and after 
round Alice and Bob exchange a sequence of real numbers 
over the noise-free channel. In the following, Xi and Yi denote 
respectively the input and the output of the noisy channel 
at time index i. In the following description of the protocol, 
we denote Y® := (Yi,Y 2 ,- ■ ■ ,Yi) for any positive integer i. 
E®, F® are also similarly defined. In the rest of the paper, we 
also denote the transmitted length-n vector by X. The length- 
n vector transmitted by the Z-th antenna (in case of MIMO) or 
over the Z-th subchannel (in case of OFDM) will be denoted 
by Xi = {XiyXi 2 ,--- ,Xin). 


A. The structure of an (n, L(-)) protocol: 

1) Alice has two bit-strings Ko,Ki of length L{S) each, 
and Bob has a choice bit C. Kq, Ki can be substrings of 
two larger strings available with Alice, and their length 
L{S) is computed by Alice based on some information 
about S sent by Bob during the protocol. 

2) Alice and Bob generate private random variables 
Wa,Wb, respectively. 

3) For ij < i < ij^i for every j = 0,1,-- - ,n (as¬ 
suming ig = 0 and in+i = k -\- V), Alice sends 
Ei = £;,(Ko,Ki,FFa,F®- 1) and Bob sends F) = 
Fi{C.S.WB,YA~^,Y^) over the noise-free channel. 
Here F° = E° = Y° = 0. 

4) For i = ij, Alice transmits Xj = 
Xj(Ko, Ki, FFa, r®J“^) over the noisy channel 
and Bob receives Yj. There is no communication 
over the noise-free channel in these rounds, and thus 

E, = F, = {b. 

5) At the end of the protocol. Bob computes Kc = 
K(C,^,1FB,E^Y®®). 


The rate L{S)/n of a protocol as described above is a function 
of the state S, and is denoted by R{S). 


Definition 1 A non-negative rate function R{S) is said to 
be achievable if there is a sequence of {n, {■))-protocols 
such that for every S, ^ > R{S) as n ^ oo, and the 






3 


protocols satisfy the conditions 

P(Kc ^ Kc) ^ 0 

/(KoKiVFaF^C) = 0 

( 1 ) 

The average rate R is the expectation of R{S). The OT 
capacity is the supremum of all achievable average OT rates. 

B. Gaussian wiretap channel 

Wiretap channel has been studied as a standard model 
for communication in the presence of an eavesdropper CD, 
CD- We model our MIMO and OFDM channels as complex 
channels. If Alice and Bob are respectively the transmitter 
and receiver of a complex AWGN channel, and if Eve is a 
wiretapper, whose received symbol is more noisy than that of 
Bob (degraded channel assumption), then the secrecy capacity 
of the wiretapper channel is given by 

where cr^ and (t|, are the variance of the noise at Bob and 
Eve, respectively, and P is the transmit power 03. Encoding 
for such channels involves mixing the message with some 
random bits (with rate equaling the capacity of the wiretapper) 
before encoding for the complex AWGN channels. Bob can 
decode both the message and the random bits as the total 
rate of these is below his capacity, whereas the random bits 
completely hide the message from Eve. Eve gets almost no 
information about the message 03- We will denote this 
channel with power constraint P as WP{P, Practical 

coding schemes approaching the secrecy capacity have been 
proposed for discrete memoryless channels using polar codes 
m and for the Gaussian channel based on lattice codes ll20l . 
under semantic security. 

In this paper we consider two channels with states, OEDM 
and MIMO, as discussed below. The essential technique used 
for OT over both these setups is the same. 

C. The OFDM Setup 

The OEDM setup is modeled in Eig. as 2N paral¬ 
lel fading AWGN channels between Alice and Bob. The 
channel states are given by independent fading coefficients 
Ho, Hi, ■ ■ ■ ,H 2 n-i- If the vector X; = {Xii,Xi 2 , ■ ■ ■ ,X/„) 
is transmitted in n channel uses over the Tth channel for 
Z = 0,1, • • • , 2N — 1, then the received vector over the Z-th 
channel is given by 

Yi=HiXi + Zi, 

where Z; is the noise with i.i.d. real and imaginary parts 
~ A/'(0,1/2). We assume that Hi are i.i.d. with Rayleigh 
distribution. The channel gains remain fixed for a block of 
length n, and change from block to block in an i.i.d. manner. 
We assume that they are known to Bob in the beginning of the 
block. The average transmitted power in any block is restricted 
toP, i.e., 


Noise-free channel 





Fig. 2. The OT setup with independent parallel channels 

D. The MIMO Setup 

Let us consider the MIMO system with transmitter Alice 
and receiver Bob, as shown in Eig. The transmitter has ua 
antennas and the receiver has ns antennas. We assume that ua 
is even. Let X = {Xij)o<i<nA-i denote the complex matrix 

l<_7<n 

transmitted by Alice over n uses of the MIMO channel. The 
received matrix Y is given by 

Y = HX -f Z (3) 

where Z G is the complex Gaussian noise matrix with 

all entries having i.i.d. real and imaginary parts ^ Af(0,1/2) 
and H G represents the complex channel fading 

matrix. The entries of H are assumed to be i.i.d. complex 
random variables with independent real and imaginary parts 
^ Af(0,1/2). H remains fixed over the block of length n, 
and changes in an i.i.d. manner from block to block. The 
average transmit power in any block is constrained to be P, 
I-®-’ assume that H is known 

only to Bob in the beginning of each block. 


Noise-free channel 



Fig. 3. MIMO system for oblivious transfer 

III. The Protocol: Some Examples 

We now show our OT protocols for some simple examples 
to illustrate the basic principle. In all the three examples. Bob 
reveals some partial information about the channel state to 
Alice so that there are, in effect, two parallel channels with 
different SNRs, and Alice does not know which of them is 
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the better channel. Bob reveals the channel over which each 
hie is to be communicated - the desired hie over the stronger 
channel, and the other hie over the weaker channel. Alice uses 
encoding for a suitable wiretap channel so that Bob can decode 
the hie transmitted over the stronger channel, but not the hie 
transmitted over the weaker channel. 

A. 2-Channels OFDM 

Let us consider an OFDM setup with 2 subchannels, each 
of which undergo independent and identical Rayleigh fading. 
For a block, let us dehne 

B = argmax{|iFol, \Hi\} 

W = C®B 

R = C,iP\HB\V2,P\Hj^\y2)-e 

where 0 denotes the modulo-2 addition, Cc{-,-) is given in 
Q, and e > 0 is a pre-chosen constant. 

The protocol: 

1) Bob reveals (FF, \Hb\, \H^\) to Alice over the noise-free 
channel. 

2) Alice takes strings Kq and Ki of length 
L(|iFo|) l^^il) := n-R each. She encodes Kw and 

into two length-n codewords Xq and Xi 
respectively, such that each has an average power P/2. 
A code suitable for WT(^, ) is used 

to encode both the strings. Xq and Xi are transmitted 
over the respective channels. Note that Kc has been 
encoded into Xs, and has been encoded into X^. 

3) Bob receives Yq and Yi with SNR P\Ho\'^/2 and 
P\Hi\'^/2 respectively. He decodes Kc from Y b using 
the decoder for the wiretap channel referred above. 

Correctness of the protocol: Note that Kc is transmitted 
over the stronger channel {B), and K^ is transmitted over 
the weaker channel {B). Bob’s received SNR in the stronger 
channel is P\Hb\‘^/2, whereas his received SNR in the weaker 
channel is P|iLg-p/2. Thus he can decode Kc with vanishing 
probability of error, whereas he can get negligible information 
about K^ as his SNR is that of the wiretapper in this 
channel. Since \Ho\ and |iFi| are independent and identically 
distributed, it is easy to check that I{W\C) = 0, thus Alice 
does not learn anything about Bob’s choice C. 

B. 2x2 MIMO 

Consider a 2 x 2 fading MIMO channel between Alice and 
Bob. Alice and Bob each has 2 antennas. Let H denote the 
2x2 complex fading matrix. The input-output relation for the 
channel is given by Q, where Y, X, Z are 2 x n matrices. 
Let the SVD decomposition of H be given by 

H = UAV^, 

where A is a diagonal matrix with diagonal elements Ao,Ai 
such that Aq > Ai. These are the (real) singular values of H. 
Let Vo, Vi denote the columns of V. We dehne 

(Wo,Wi) = (Vc,Vc) 
and R = Cc(PA^/2, PA?/2) - e (4) 


for some pre-decided e, where the Cc{-, •) above is dehned in 
(|^. Note that 'Wq, Wi are the same as Vq, Vi, but permuted 
depending on C. Bob shares (Wo,Wi) with Alice in our 
protocol, and Alice uses it as the precoding matrix. Bob hrst 
pre-multiplies the received matrix by U^. The resulting end- 
to-end system is shown in Fig. where a switch, controlled 
by Bob’s choice bit C, determines which input of Alice passes 
through which channel to Bob. The hrm lines and dotted lines 
show the two positions of the coupled switch. 


The protocol: 

1) Bob reveals CWq, Wi, Aq, Ai) to Alice over the noise- 
free channel. 

2) The basic transmitter and receiver block diagram is 

shown in Fig. Alice computes R using Q, and takes 
strings Kq and Ki of length L(Ao,Ai) := nR each. 
She encodes Kq and Ki into two length-n codewords 
Xq and Xi respectively, such that each has an average 
power P/2. A code suitable for yVT{^, is 

used to encode both the strings. She then transmits the 
matrix 


[Wo Wi] 


Xo 

Xi 


= WqXq 0 WiXi 
= VoXc + ViXj. 



3) Bob hrst multiplies the received 2 x n matrix by U^. 
The resulting end-to-end channel is given by 


Y = 

’ Yo ‘ 

= U^HV 

■ Xc ■ 

+ U^ 

■ Zo ■ 


_ Yi 


. . 


Zi 


AoXc 

AiXc 


+ U" 


Zo 

Zi 


(5) 


Bob gets Yq and Yi with SNR PXq/2 and PXl/2 
respectively. He decodes Kc from Yq using the decoder 
for the wiretap channel referred above. 


Zo 



Zi 


Fig. 4. MIMO precoding for OT 


Correctness of the protocol: First note that since Y is obtained 
by a unitary (hence invertible) transformation on Y, it contains 
exactly the same information as Y. So we will henceforth treat 
Y as Bob’s received matrix. Since U is a unitary matrix, U^Z 
has the same distribution as that of Z. Also note that Kc is 
encoded into Xc, which is received as Yq with SNR PAg/2. 
Since this encoding is done by Alice for a complex Gaussian 
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wiretap channel with the same receiver SNR, Bob can decode 
Kc with vanishing probability of error. On the other hand, 
Kgr is encoded into X^r, which is received as Yi with SNR 
PX\I2. Bob can get negligible information about as his 
SNR in Yi is that of the wiretapper. This ensures secrecy of 
Alice against Bob. 

About the secrecy of Bob against Alice, first note that 
H is circularly symmetric, and thus (Vo,Vi) and (Vi,Vo) 
have the same distribution, that is, their joint distribution 
is symmetric in Vq and Vi. Also, note that Ao,Ai are 
independent of C, Vq, Vi. Thus 

/(Wo, Wi, Ao, Ai; C) = /(Vc, V^; C) = 0. 

This ensures the secrecy of Bob against Alice. 

As seen in the SVD precoding as shown in Fig. 
transforms the MIMO channel into a parallel fading Gaussian 
channel, where Alice is unsure of which of the two channels 
has the gain Aq, and which has gain Ai. We now discuss the 
2x1 MIMO system where the same technique takes a simple 
elegant form. 

C. 2x1 MIMO 

Consider a 2 x 1 fading MIMO channel between Alice and 
Bob. Let H = (i/g, Hi) denote the 1x2 fading matrix such 
that the symbol received by Bob over the MIMO channel is 
given by 

Y = HX + Z, 

where X = (Xq, Xi)'^ is the vector transmitted by Alice, and 
Z is the noise. Over n uses of the channel, the received vector 
is given by 

Y = HX + Z, 

where X and Z are respectively the 2 x n transmitted matrix 
and the noise vector of length n. Let the SVD of H be 

H = AV" 

where A = (A, 0), A = -^|i/op + |//i P, the first column of 
V is Vq = (1/A)H^, and the second column of V is a unit 
vector Vi orthogonal to H. 

The best way to communicate messages (without any 
secrecy condition) is using SVD precoding wherein Alice 
multiplies her message symbol with the first column of Vq 
and transmits. Bob simply divides the received symbol by A 


and chooses the message symbol nearest to the result. Note 
that if in addition, Alice added any scalar multiple of Vi 
to her transmission, it would not contribute to the received 
symbol as Vi is orthogonal to H. Thus this dimension which 
is orthonormal to H (the null-space of H) is not useful 
for communication, as it has zero gain. This reduces the 
MIMO channel to a single fading AWGN channel with fading 
coefficient A. 

We now give an OT protocol for this channel when only 
Bob has the knowledge of H at the beginning of a block. We 
define 

(Wo,Wi) = (Vc,Vc) (6) 

and i? = log 2 f 1 + - e (7) 

for some pre-decided e. Bob shares (Wq, Wi) with Alice in 
our protocol, and Alice uses it as the precoding matrix. The 
resulting channel is equivalent to what is shown in Fig. 
where a switch, controlled by Bob’s choice bit C, determines 
which input of Alice passes through the channel to Bob. 

The protocol 

1) Bob reveals (Wo,Wi,A) to Alice over the noise-free 
channel. He sets (Wo,Wi) as in 

2) Both Alice and Bob compute L{X) := Rn with R given 
in Q. Alice encodes each of Kg and Ki (of length L{\) 
each) into a n-length vector. She uses a code suitable for 
a complex AWGN channel with SNR ^A^. Let these 
encoded vectors be Xg and Xi respectively. Over n 
uses of the channel, Alice transmits the 2 x n matrix 
WgXg-f AViXi. 

3) Bob receives 

Y = H(WgXo -f WiXi) -I- Z 
= AXc + Z. 

Bob now decodes Kc from Y with probability of error 
going to zero as n —>■ oo. 

A Z 

c 



Fig. 6. The equivalent channel with a switch for 2x1 MIMO setup 


Correctness of the protocol: Since Xc is transmitted in the 
null-space of H, it does not contribute to Bob’s received 
vector. Thus Bob has no information about Since H has 
i.i.d. Gaussian entries, (Vo,Vi) has a distribution which is 
symmetric in Vg and Vi, and A is independent of (Vg, Vi). 
Thus, /(Wg, Wi, A; C) = 0. Thus the secrecy of Bob against 
Alice is met. 
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IV. The General Protocol 

In this section, we present a protocol for the general 2N- 
channels OFDM and 2N x ns-MIMO models. Here we 
assume that Alice has more (2A^) antennas than Bob has (ub)- 
The case ub > 2,N is similar, and is discussed briefly later. 

For the MIMO setup, we first discuss how Bob can reveal 
some partial information about the channel matrix to reduce 
the channel to a parallel channel. We will then treat both 
OFDM and MIMO models as parallel channels and present a 
common OT protocol. The OT protocol will group the parallel 
channels into pairs and perform OT over each pair using 
similar technique as in the previous section. 


A. Reducing MIMO setup to parallel channels 
Let the SVD decomposition of H be given by 

H = UAV^, 


where A is a x 2N diagonal matrix with diagonal elements 
^0 > > A 2 > • • • > XriB-i- Let P be a random 2N x 2N 

permutation matrix chosen by Bob. Note that a permutation 
matrix is unitary, and thus = P~^. Let us add {2N — ub) 
zero rows with to define the 2N x ub matrix 


Bob sends W = VP over the noise-free channel, and Alice 
uses it as the precoding matrix to transmit VPX. Bob first 
multiplies the received vector Y by P^U to get 


Y = P^UY 


= P^ 
= P^ 


APX-f 

0 


A 

0 


PX + P^ 


0 


Let us denote A := (Aq, Ai, • • • 
vector of diagonal elements of 


, A2Ar-i 


A 

0 


as the 2N 
where A; = 


length 
0 for 


l > Ub - Let us also denote Z := 


u^z ■ 
0 


. Let TT denote the 


permutation induced on a vector by pre-multiplication by P^, 
that is, P'^A = (A^(o),A^(i),--- ,A^( 2 Ar-i)) in particular. 
Then 


-I- 


We note that for Tr{l) > ub, A7r(i) = ^7r(/) = 0. This gives a 
set of parallel channels such that 2N — ub of them have zero 
gain and zero noise. These channels are completely useless for 
communication. Since is unitary, U^Z is also i.i.d. with 
independent real and imaginary components ~ Af(0,1/2). 
Since Bob knows P (and so tt), he will neglect the channels 
I for which Tr{l) > ub- To reduce this model to a standard 
parallel AWGN channels model with constant noise variance 
in all channels but different channel gains, we assume that Bob 


adds some independent noise with real and imaginary parts 
^ JV{0, 1/2) to each of the channels for which Tr{l) > ub- 

We now prove a lemma which states that in the resulting 
parallel channels, Alice can not know the order of the channel 
gains. 

Lemma 1 Let H be the channel matrix and P is a permu¬ 
tation matrix chosen uniformly at random. Let W = VP 
denote the precoding matrix sent to Alice by Bob, and A be 
the zero-padded vector of ordered singular values. Then for 
any W and A, and for any two permutations P and P/ we 
have Pr(P|W, A) = Pr(P'|W, A) = 

Proof: V is uniformly distributed over the set of 2N x 2N 
unitary matrices (see ll^ Lemma 5]). Since P is a unitary 
matrix W = VP is also unitary and both VP and VP' are 
Haar matrices with the same uniform distribution over the set 
of 2N X 2N unitary matrices. Hence /w a|p(AV, A|P) = 
/v.a(WP^,A) = /v,a(W,A), and also’7w.A(W, A) = 
/v,a(W,A). SowehavePr(P|W,A) = ^. ■ 

We have now reduced the MIMO channel to a standard 
parallel AWGN channels with different gains (singular values) 
in different subchannels. The above lemma says that from the 
partial channel state information given to Alice, she still would 
be ‘completely uncertain’ about the association of the singular 
values to the resulting subchannels. 

The case of ub > ‘2.N: When ub > 2 A, U is an ub y- nB 
matrix and A is a ub x 2N diagonal matrix with {ub — 2A) 
zero rows. Let the last ub — 2A rows of U^, A and U^Z be 
removed to obtain respectively U, A and Z. As before, Alice 
transmits VPX. Bob first multiplies P^U to the received 
vector to obtain 

Y = P^UY 

= P^APX + P^Z. 

The protocol now continues with the 2A components of Y 
which constitute the output of the 2A parallel channels as 
before. 

In the following, we consider a set of parallel channels 
indexed by 1, 2, • • • , 2A, as depicted in Fig. Such a model 
could have resulted from an OFDM channel or a MIMO chan¬ 
nel under the scheme discussed above. To treat MIMO and 
OFDM in a unified manner in the following, we also assume 
A; = |iT/| to be the channel gains in case of OFDM as they 
provide the same performance. For OFDM, we assume that 
Ai,A 2 ,'-- ,X 2 N are i.i.d. and Rayleigh distributed. We now 
define an OT-pairing of the channels and a power allocation 
under a given total power constraint. 

Definition 2 An OT-pairing of the 2N channels is defined 
using two maps i,k : {1, 2, • • • , A} —>■ {1, 2, • • • , 2A} such 
that 

1) k are 1 — 1 

2) Im{£) n Im{k) = 0 

3) A^(j) > Afe(/) V 1 . 

The ordered pairs of the channels are then {£(1), k(l))]l = 
1,2,... ,A. 
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B. Power allocation 


Alice divides the total average transmit power P between 
the subchannels. In our OT protocol, Alice transmits the same 
power over the subchannels in a pair. Let Pi the average power 
transmitted on each of the subchannels in pair I, that is, in the 
subchannels £{l) and k{l), be Pi. Then Pi > 0 and 

N p 

The rates for the pairs are taken as 

Ri=C,{Pi\lipPi\\i^)-e (9) 

for an arbitrarily small fixed constant e > 0. We denote 
R = (i?i, i? 2 , • • ■ , Rn)- Note that Ri is close to the capacity 
of the wiretap channel >VT(R, Our OT 

protocol for the 2-channels OFDM can be used with average 
power constraint 2 P/ to achieve a rate Ri for each pair of 
subchannels. The total rate achieved is thus 

N 

R = Y,C,{Pi\\ipPi\\,^) - eN. (10) 

For simplicity, we assume that nRi is an integer for each 1. 
We dehne for Z = 1, 2, • • • ,N, 


li = { 710 , 111 ) = {£{1), k{l)) ( 11 ) 

A; = (A£(/), Afe(;)), (12) 


and denote 7 := ( 71 , 72 ,- •• ,7n) and A = (Ai,A 2 ,--- ,Xn)- 
Let T denote the 2N x 2N permutation matrix represent¬ 
ing the transposition of consecutive pairs. T consists of N 


diagonal 2 x 2 blocks 


0 

1 


1 

0 


. We dehne 



into a n-length vector of average power Pi using a 
code for the wiretap channel >VT(Pi, RA^p), 

Alice transmits this vector over n uses of the channel 

lip 

4) Note that from ([T3), he = £{l) and = k{l) for each 
Z = 1,2, • • • ,N. Thus Bob receives 


7 = 



if (7 = 0 
if (7 = 1 


(13) 


Bob shares ( 7 , A) with Alice. From Alice’s point of view, the 
parallel channels appear to be associated with the gains shown 
in Fig. The association of the gains to the channels has one 
bit of uncertainty as depicted by the two possible positions of 
the coupled switches. The position of the switches is controlled 
by (7, and is not known to Alice. We give the protocol below. 


C. The protocol 

1) In case of a MIMO setup. Bob hrst reveals W to Alice, 
and Alice uses it as the precoding matrix. Bob also does 
appropriate pre-processing as discussed in Sec. |IV-A| to 
reduce the channel to a set of parallel channels. 

2) Bob selects an OT pairing £, k and reveals ( 7 , A) to 
Alice over the noise-free channel. He computes these 
using and ( [T^ respectively. 

3) Both Alice and Bob compute Ri using and Li = Rin 
for Z = 1, 2, • • • ,N. Let us denote L = J2^i ^i- P®'' 
each j = 0,1, Alice breaks Kj (of length L) into N sub¬ 
strings Kjj; Z = 1, 2, • • • , of lengths Li respectively. 
For each j = 0,1, and Z = 1, 2, • • • ,N, she encodes Kjj 


Y£(z) = A£(i)Xc; -I- 

Bob now decodes Kc; from with probability of 

error going to zero as n —>■ 00 . 

Correctness of the protocol: Bob can decode JCci from Y 
for each Z with arbitrarily small probability of error. This fol¬ 
lows from standard results in Gaussian wiretap channels ifT^ . 
It also follows that he gets only an arbitrarily small amount 
of information about from X[k(i) in the sense of 0 ns. 

Alice knows that 7 G { 7 , 7 T}. Since 7 and A are revealed 
to Alice during the protocol, the uncertainty in (7 is equivalent 
to the uncertainty in which of l,lT is the value of 7 . 

Now, let us hrst consider an OFDM channel. From the point 
of view of Alice, 

Pr{C = 0 | 7 , A) = Pr {2 = 7I7 e {7, 7 ^}, A) 

= Pr (7 = 7 T| 7 e{ 7 , 7 T},A) (14) 

= Pr{C = l\i,X). 

Here ([T^ follows as we have assumed that the channel gains of 
the parallel channels are i.i.d. This implies that /((7; 7 , A) = 0. 

Similarly, if the parallel channels have resulted from a 
MIMO channel, then Alice has also learned the precoding 




























matrix W. Now, 

Pr(C = 0 |W, 7 ,A) 

= Pr (7 = 7 | W, 7 e { 7 , 7 T}, A) 

= Pr (7 = 7 r| W, 7 e { 7 , 7 T}, A) (15) 
= Pr(C=l|W, 7 ,A). 

Here ® . follows from Lemma [T] Thus we have 
/(C';W, 7 , A) = 0. This proves that Alice does not gain any 
information about C from what she learns during the protocol. 

We now discuss the optimal OT-pairing and the optimal 
power allocation. 


V. Optimization of the protocol 


Let us first consider the simple setup where equal power is 
allocated in all pairs of subchannels, i.e.. 

The capacity for this power allocation is 


N 

R = '^\og 

Z =1 


1 + 


p>^h) 

2N 


N 

-y^iog 


1 + 


pilin ' 

2N 


Clearly, this is maximized if > A^^^ for all l,j. That 
is, provided the best half of the channels form the stronger 
channels of the pairs, the achieved rate is independent of the 
actual pairing. However, this is not true if we have the freedom 
to pair the channels as well as to allocate variable power Pi to 
different pairs. In general, we would like to choose an optimal 
pairing {£{1), k{l)); 1 < I < N and power allocation Pi;i < 
I < N SO as to maximize 


N 

p = y]] log 

/=! 



-y^iog 


1=1 



■ (16) 


The following theorem states that an optimal OT pairing 
couples the best channel with the worst, and so on with the 
remaining channels. 


Theorem 1 An optimal pairing combines the best channel 
with the worst channel and continues similarly with the 
remaining channels. That is, the pairing is given by £{l) = a{l) 
and k{l) = a{2N — Z + 1) for I = I,-- - ,N for some 
permutation a which arranges the gains in a non-increasing 
order. 

The proof of the theorem is given in the appendix. In the 
theorem, the permutation a is such that Xa(i) ^ ^ ^ < 

2N. This result reduces the problem of joint optimization of 
for the best pairing and power allocation to separate 
optimization of the pairing and the power allocation among 
the pairs of channels. With high probability, all the gains 
(Ai, • • • , \ 2 n) distinct. Under this high probability event. 
Theorem [T] gives a unique optimal pairing. We now find the 
optimal power allocation. 

Optimal Power Allocation: In light of Theorem [T] we assume 
that the channels are ordered such that 


and the channel with gain A/ is paired with the channel 
with gain AJ, where AJ = \ 2 N-i+i- Then for a given power 
allocation Pp, 1 < I < N, the achieved rate is 


N 


N 


p(Pi, ■ ■ ■, pn) = Y, iog(i + ml) - Y 

i=i 1=1 


We need to maximize this with respect to the P/s under the 
condition 





Similar optimization was needed for power allocation over 
different fading states for block fading wiretap channel II 2 TI . 
This can be solved by defining the Lagrangian objective 
function 

/ N p 

J = ,P^)-r; y^Pi-- 

\l=l 



The optimal power allocation is given by 


Pi = 




where 




1 / 1 


1 


Af 


A? 


if a; ^ 0 

if a; = 0 


+ 


and rj is determined by the condition 



1=1 


Power allocation across coherence blocks: If variable amount 
of average power is allowed to be transmitted in different 
blocks under a long term average power constraint, then 
potentially higher rates are achievable. Let (Ai, A 2 , • • • , X 2 n) 
denote the random vector that represents the ordered (non¬ 
increasing) channel vector in a block. The optimum pairing in 
each block is still as given by Theorem The optimal power 
allocation is the maximizer of the expected rate 


R = E 


■ JV 

Yi^og{l + Pi{X)Xl) 


J = 1 


— l0g(l -f P/(A)A2 JV_/+i)) 


under the average power constraint 


E 


N 




. 1=1 


< 


p 


By similar steps as before, the solution is given by 


if a; ^ 0 
if a; = 0 . 


Xi > Ai+i for 1 < ( < 2N 
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where rj is a global constant determined by the condition 


E 


r N 




p 

~2' 


(17) 


Here 77 depends only on the channel statistics and P. 


VI. High SNR asymptotics 

Let us consider a set of parallel channels. We want 
to study the asymptotic expected rate. Let us consider a 
fixed ordered channel vector (Ai, A 2 , • • • , X 2 n) to start with. 
Note that in the case of a {2N x ub) MIMO system 
with precoding, there are 2N channels. If ub < N, then 
there are ub useful pairs of channels with channel gains 
(Ai,Ai),(A 2 ,A' 2 ),--- , (A„^, A;^), where a; = A27v-z+i = 0, 
for I = 1,2, •• • ,nB- If N < ub < 2iV, then there are N 
parrs. {2N — ub) of them have the second channel gain zero, 
more specifically, A^ = • • • = X'^^n-ub) ~ 

Clearly, 77 —^ 0 as P — 00 . So, P; —>■ 00 as P — 00 . Now, 
for a pair of channels with X\ = 0, the rate contributed by the 
pair i^ 


Ri = log (1 + PiX^) 

^ log(P 7 A?). (18) 


So, 


E 

lim •— 
P—>^00 

E 


logP (usmg(|£l|) 

P—>^00 

E 

logP (usingl]^) 

Ei:A;=o(log(-PO - log(77P/)) 

P—>^00 

E 

logP - P(log( 77 P)) 

Ei:A;=o(-log(^)) 

-P(log(? 7 )) 

P[|{L a;=o}|] 


Here ( |2^ follows from and ( |2^ . Thus our protocol 
achieves the OT-multiplexing gain of 

{ hb if Ub < N 

2N — Ub if N < Ub < 2.N 
0 if ns > 2N. 

In contrast, for communication over a 2N x hb MIMO 
channel, the multiplexing gain is mining, 2A^}. For ub > 
2N, the average OT rate converges to a constant as P —?► 00 . 
This can be seen as a consequnce of the fact that the secrecy 
capacity of the Gaussian wiretap channel goes to a constant 
as P —>■ 00 . 


For such a channel pair. 




V V X^i, 
TjPi —1 as 77 — 7 ^ 0 

When A; ^ 0 and A; ^ X[, as 77 —>• 0, 


So, for such channel parrs. 


Ri = log (1 + RXf) - log (1 + P,Af) 
^ log as P 00 . 


P-s-oo log P 
^Here we mean Ri — log(PjA^) —>■ 0 as P —^ 00 


VII. Numerical results 

In this section, we provide numerical results of our OT 
protocols for some simple MIMO and OFDM channels which 


include the examples discussed in Section III 


(19) 


( 20 ) 


( 21 ) 


In Fig. we plot the OT rate of our protocol for 2x1 and 
2x2 MIMO channels. The average OT rate is numerically 
evaluated using Monte Carlo simulation methods for SNR 
varying from 0 dB to 50 dB. The channel capacities for these 
channels with CSIT are also numerically evaluated and shown. 
It can be seen that OT rate of 2 x 1 MIMO channel at SNR 
P dB is approximately equal to the capacity of 2 x 1 MIMO 
channel with CSIT at 3 dB lower transmit power. This is due 
to the fact that in our OT protocol, half of the power is given 
to the null-space of H which is useless for communication. 
OT rate of 2 x 1 MIMO channel increases at the rate of 1 
bit/3dB, as hot = 1- 

Using ( [2 T] i we see that at very high SNR, the OT rate for 


Now, using ( [T9] | and ( | 20 l l, the power constraint gives 

TjP —>■ 2{2N — Ub) as P — 00 . (22) 

Inspired by similar concepts for communication over MIMO 
channels, it is reasonable to define the OT-multiplexing gain 
as 

e[Y^^r,] 

= lini 




Recall 

t 


2x2 MIMO system is given by P « P 

that Ao,Af are the eigenvalues of the Wishart matrix HH^. 
The joint p.d.f. of the ordered eigenvalues, 70 = Aq, 7 i = 
Aj, is given by e-( 7 o+ 7 i)(^g _ 124 ] Theorem 2.17]. The 

asymptotic value of the OT rate is thus 


E 


log(^ 

V 71 


00 7 o 

/ / (^) “ 7i)^d7it^7o 

0 0 


= 1 + 21n(2) nats « 3.45 bits. 


In Fig.|^ OT rates for MIMO with 77 ^ = 4 and 1 < pb < 4 
are shown as a function of SNR. As expected from Section VI 
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Fig. 9. OT Rates for MIMO with = 4 transmit antennas, and tiq = 
1, 2, 3,4 receive antennas 


the best OT rate is achieved when ns = rtA/2 = 2, with 
asymptotic slope of 2 bits/3dB {hot = 2). The asymptotic 
slope for ns = 1 and ns = 3 is 1 bit/3dB (hot = !)■ For 
tT-B > 4, Hot = 0, and the rate is bounded. 



Fig. 10. OT Rate and OFDM capacity versus SNR for 2, 4 Channels OFDM 


In Fig. 10 we show the OT rate for 2-channels OFDM 
and 4-channels OFDM, along with the capacities of the 
corresponding channels. The OT rate of 2-channel OFDM 
converges to a constant as SNR increases, since hot = 
0. To find this constant, we note that |iJo| and |iTi| are 
i.i.d. with Rayleigh distribution. So |iToP and |iFip have 
exponential distribution. Let S = max(|iLoPi |F^iP) and 
T = min(|iLoP, \Hi\'^). Then the probability density functions 


of S and T are 2(1 —e ®)e ® and 2e respectively. As SNR 
increases, the OT rate for our protocol converges to 


ii^[log(S'/T)] = J J log('S/02(l — e ®)e ®2e ^*dsdt 
0 0 

= 21n(2) nats = 2 bits. 


The OT rate of 4-channels OFDM also converges to a constant 
and HOT = 0. 


VIII. Conclusion 

We presented a technique for OT over parallel fading 
AWGN channels with receiver CSI with application to OFDM 
and MIMO. For privacy of Bob against Alice, our techniques 
use primarily Bob’s exclusive knowledge of the fading states, 
whereas the additive noise is utilized for privacy of Alice 
against Bob. 

In AWGN channels, the noise realization is used to per¬ 
form OT in 0, 1221. Following similar principle, the noise 
realization can potentially be further utilized in our setup to 
achieve better rate. In particular, for a single point-to-point 
fading channel or for parallel fading channels with the same 
fading coefficient, an obvious scheme is for Bob to first reveal 
the channel state to Alice over the noise-free channel. Then 
they can follow a protocol suitable for the resulting AWGN 
channel. However, as pointed out in ll22l . the OT rate saturates 
to a constant as P —> oo in AWGN channels. Thus further 
utilization of the noise realization in our protocol will not 
only result in a much more complex protocol, but it will also 
not provide any additional asymptotic OT-multiplexing gain. 

With an odd number of OFDM channels, or an odd number 
of transmit antennas in a MIMO system, we have an odd 
number of parallel channels. In such a case, our protocol will 
leave one channel of middle rank in strength unused. That 
channel-state can be revealed to Alice by Bob, and the OT 
protocol of fT2\ can be used in the resulting AWGN channel. 
This also does not give any asymptotic {P oo) improvement 
in terms of multiplexing gain. 

Altogether, the technique proposed in this paper can be 
an important tool for performing OT efficiently over wireless 
channels. 


Appendix A 
Proof of Theorem[T] 

Lemma 2 If Pi > P 2 , a > j3, then (1 -I- Pia)(l -I- P 2 P) > 
{l + Pip){l + P2a). 

Proof: We first note the following basic fact. 

Claim: If cc, y > 0 , | > 1, then /(a) = is a 
monotonically decreasing function of a. 

Proof of the claim: It can be easily checked that ^ = 
, '^7^2 < 0 Va. Thus the claim follows. 

(y+ay 

Now by the hypothesis of the lemma, a > P and ^ 

Thus by the above claim. 



























II 




< 




_^ aP2 + 1 ^ aPi + 1 

^ /3P2 + 1 pPi + l 
=^ (1 + aPi)(l + m) > (1 + aP2)(l + /3Pi) 


Lemma 3 For any l,j G {1, 2,..., N}, an optimal protocol 
can not have Xki) > Xk{i) > Xi(^j) > Xk(j)- 

Proof: We will show that under the above condition, the 
pairing can be improved strictly with the same power allo¬ 
cation. Let us consider another pairing dehned by £'(•), fc'( ) 
such that 


e{t) = e{t) yt ^ j 

ifj) = k(i) 

k'{f) = k{t) Vt 7^ I 

k'{l) = £{j) 

That is, k{l) and £{j) are interchanged. Clearly £', k' dehne 
a valid pairing. Consider the same power allocation. Only the 
rates Ri,Rj will change to Pj,P' (say). 


Ri + Rj 


p; + p' 


(P/ + Rj)- {R'l + P') 


°'(1 + P,aL,)(1 + /^A2,^,) 

_ + PjKii)) 

°®(1 + PA 2(,))(1 + P , A ^,(^.)) 

°‘(l + flA^,„)(l + P,A2,„) 
< 0 (since Af(j) < Afc(;)) 


Thus R'l + R'j > Ri + Rj . Since P* = R[ \/t l,j, the 
new pairing gives more rate with the same power allocation. 


Lemma 4 For an optimal protocol 

Xi(i) > Xk(j) y I, j- 
Proof: If this is not true, then suppose 
Xe{i) < Xk(j) for some l,j 

Then 

Xt,{j) > Xk(j) > Xti^i) > Afc(i) 

which can not be true by Lemma 
Lemma 5 For an optimal protocol 


^ Xe(i) > Xi(j) > Xk(i) > Xk(j) 

as A^(;) > Xk(i) > A^(j) > Xk(j) can not be true by 
Lemma [3 
Case 1: P; > Pj 
By Lemma 13 

10g(l + PiA^.(;)) + 10g(l + PjX\^j~^) 

> log(l + PjA|(;)) + log(l + PiXl^jj) (24) 

Consider a different pairing I, k' such that 

f Ht) ; 1 7^ i,j 
kft) = I k{l) ;t = j 
[ k{j) ; t = l 

i.e. k{l), k{j) are interchanged. Then the new rate P' is such 
that 


N 

R'-R = ^(P(-Pt) 

= (p; - po + (p; - P,) 

= (P(+P')-(Pz + P,) 

= log(l + P,A£(i))-log(l + PiA^(^-)) 

+ log(l + PjA^(^)) - log(l + PjX^i-^) 
- 10g(l + PiA^(;)) - 10g(l + PiA^(;)) 

+ log(l + PjX^f^j^) — log(l + PjX^j-j) 

> 0 by 


Thus the new pairing strictly improves the rate. 

Case 2: Pi < Pj 
By Lemma 13 

log(l + PjX'ji^i-j) + log(l + PiXji^j^) 

> log(l + PiX^^i^) + log(l + PjX^gf^j)) (25) 
Consider a different pairing £', k such that 

f i{t) ; t 7^ l,j 
£'it)={ £{l) ■t = j 

I ^(j) £ = l 

i.e. £(l), £{j) are interchanged. Then the new rate P' is such 
that 


R'-R = (p;+ p') _ (p,+ p^.) 

= log(l + PjXji^i^) + log(l + PiXjy^) 

— log(l + PiA|(i)) — log(l + PjXj(^i^) 

> 0 by 

So the new pairing strictly improves the rate. This completes 
the proof of the lemma. ■ 

Now let us assume, without loss of generality, that the pairs 
are indexed such that 


^e{l) > ^l(j) ^ ^k{l) < ^k{j)- 

Proof: By contradiction, suppose I, j are such that 


A,(/) > A,(i+i) yi = l,2,---,N (26) 

and 


A^(i) > Xe(^j) 


and Xk(^i) ^ ^k(j) 


Xk{i) < Afc(z+i) whenever Af(;) = Af(i+i) (27) 
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for Z = 1,2, • • • ,iV. 

Proof of Theorem Let us define 

a{l)=i{l) forZ = l,--- ,iV. 

and 

(j{l) = k{2N - I P 1) for/ = 7V+l,--- ,2Af. 

We now need to prove that \a{i) > Acr(i+i) V 1. 

For Z = 1, 2, • • • , TV—1, this follows from ( [26l l. For I = N, this 
follows from Lemma For N < I < 2N, if Acr(;) < Act(z+i), 
then 

Afe(j_i) > Afe(j) where j = 2N — Z + 1 > 1 

But then 

A^(j-i) > A^(j) > Xk(j-i) > Afc(j) 

This contradicts either (|2^ or Lemma Thus it must be true 
for TV < Z < 2A^ that 

Act(/) > ACT(i+i) 

This completes the proof of the Theorem. 
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